Avoid the Lure of Phishing Scams
Ransomware attacks get a great deal of press these days, but misdirected payment fraud continues to be a bread-and-butter scam for thieves. Often the fraud is perpetrated through phishing emails.
The emails typically mimic known vendors, making it easy to fall victim. However, a few safeguards and a vigilant eye for fraud can help prevent loss.
Local governments are easy targets for misdirected payment fraud, as publicly available board meeting agendas, summaries and minutes contain listings of vendors, items being purchased or bid and payment amounts.
Spotting and Avoiding a Scam
Although MCIT provides misdirected payment fraud coverage, its limit can easily be exceeded. These best practices can help members spot fraudulent requests before releasing funds:
- Train all staff in techniques to identify phishing scams and how to report them.
- Require that staff verify payment changes before authorizing a change. Best practice would be to call the vendor or payee using a known, previously verified phone number. Another option is to visit the payee in person.
- Verification using email is not advised, but if used, start a new message to the vendor or payee and, again, use a known, previously verified email address for the vendor or payee. This should prevent the message from being delivered to the perpetrators of the theft attempt.
- Request that the member’s bank call a specific contact at the member to verify a transfer of funds outside of the United States before processing the release of funds. Most local governments do not send money internationally, but misdirected payment fraud is often perpetrated by those outside of the U.S.
- Red flag Green Dot Bank in email systems. This online bank is frequently used in misdirected payment fraud scams.
- Require the vendor or payee to complete and sign a new direct deposit or ACH form to provide documentation if an issue arises.
- Limit the number of individuals who can make changes to a vendor or payee’s direct deposit or ACH information and train them on policies and procedures.
- Investigate unusual requests, ask questions and verify the authenticity of the request.
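As an added illustration (not MCIT's own tooling), the sketch below shows how a mail filter could hold messages for manual verification using the practices above: it flags Green Dot Bank mentions, payment change requests, and senders that are not on a previously verified vendor list. The vendor addresses, keyword patterns, Reply-To check and sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: addresses confirmed out of band (phone call, signed ACH form).
VERIFIED_VENDOR_ADDRESSES = {"billing@acme-paving.example"}
FLAGGED_BANKS = re.compile(r"\bgreen\s+dot\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(direct\s+deposit|ach|routing\s+number|new\s+(bank\s+)?account)\b", re.I)

def review_message(raw):
    """Return the reasons a message should be held for manual verification."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    text = str(msg.get("Subject", "")) + "\n" + "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() == "text/plain")
    reasons = []
    if FLAGGED_BANKS.search(text):
        reasons.append("mentions a red-flagged bank")
    if PAYMENT_CHANGE.search(text):
        # Every payment change is verified, even from a known address.
        reasons.append("payment change request: verify using a known phone number")
        if sender not in VERIFIED_VENDOR_ADDRESSES:
            reasons.append("sender is not a verified vendor address")
    if reply_to and reply_to != sender:
        # A direct reply would go somewhere other than the apparent sender.
        reasons.append("replies go to a different address than the sender")
    return reasons

# Constructed sample messages (not real traffic).
LEGIT = """\
From: Acme Paving <billing@acme-paving.example>
Subject: Invoice 1042

Invoice 1042 for the County Road 5 overlay is attached.
"""
SPOOFED = """\
From: Acme Paving <billing@acme-pavlng.example>
Reply-To: ap-desk@mailbox.example
Subject: Updated ACH details

Please send future direct deposit payments to our new account at Green Dot Bank.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, review_message(raw))
```

A message held by a filter like this still goes through the phone or in-person verification described above; the filter only decides what staff look at first.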
MCIT risk management consultant Richard Miehe can assist members with their cyber-security risk management efforts. He has a special focus in this area. Reach Miehe at extension 6431 or email him.
Report Known or Suspected Incidents Immediately
Members should report a misdirected payment incident to MCIT upon discovery. The sooner MCIT can begin investigating the situation, the more likely funds can be recovered. Members should submit claims through the online member portal (see orange button at top or bottom of page).
Questions regarding submitting a claim can be directed to Director of Claims Zahir Siddiqui at extension 6442 or email him.